author | Dmitry Kozlov <xeb@mail.ru> | 2018-10-26 06:34:59 +0300 |
committer | Dmitry Kozlov <xeb@mail.ru> | 2018-10-26 06:34:59 +0300 |
commit | 363ac4b5603e0f18d1e1e3e8466a3983b88ce375 (patch) | |
tree | 7e69d867ef8fb381db72fb53e1ff398a0242003a /accel-pppd | |
parent | d0c166d177eb6251cfed52ce646f8f99f004ac09 (diff) | |
parent | 17ff40f36a81dabecfb490b6d1fca70ae94c8c34 (diff) | |
Merge branch 'master' of https://github.com/xebd/accel-ppp
Diffstat (limited to 'accel-pppd')
-rw-r--r-- | accel-pppd/ctrl/sstp/sstp.c | 23 | ||||
-rw-r--r-- | accel-pppd/extra/chap-secrets.c | 3 | ||||
-rw-r--r-- | accel-pppd/extra/ippool.c | 3 | ||||
-rw-r--r-- | accel-pppd/extra/ipv6pool.c | 2 |
4 files changed, 29 insertions, 2 deletions
diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c
index e60d2cb..af6bc77 100644
--- a/accel-pppd/ctrl/sstp/sstp.c
+++ b/accel-pppd/ctrl/sstp/sstp.c
@@ -2328,6 +2328,16 @@ static int ssl_servername(SSL *ssl, int *al, void *arg)
 }
 #endif
 
+#if !defined(SSL_OP_NO_RENGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+static void ssl_info_cb(const SSL *ssl, int where, int ret)
+{
+	if ((where & SSL_CB_HANDSHAKE_DONE) != 0) {
+		/* disable renegotiation (CVE-2009-3555) */
+		ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+	}
+}
+#endif
+
 static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 {
 	SSL_CTX *old_ctx, *ssl_ctx = NULL;
@@ -2358,7 +2368,11 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 	opt = conf_get_opt("sstp", "accept");
 	if (opt && strhas(opt, "ssl", ',')) {
 legacy_ssl:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		ssl_ctx = SSL_CTX_new(TLS_server_method());
+#else
 		ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+#endif
 		if (!ssl_ctx) {
 			log_error("sstp: SSL_CTX error: %s\n", ERR_error_string(ERR_get_error(), NULL));
 			goto error;
@@ -2368,11 +2382,14 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 			SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
 #endif
+#ifdef SSL_OP_NO_RENGOTIATION
+			SSL_OP_NO_RENGOTIATION |
+#endif
 #ifndef OPENSSL_NO_DH
 			SSL_OP_SINGLE_DH_USE |
 #endif
 #ifndef OPENSSL_NO_ECDH
-			SSL_OP_SINGLE_ECDH_USE |
+			SSL_OP_SINGLE_ECDH_USE |
 #endif
 			SSL_OP_NO_SSLv2 |
 			SSL_OP_NO_SSLv3 |
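Review bot: The guard `#if !defined(SSL_OP_NO_RENGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)` around ssl_info_cb misspells the OpenSSL option (the real macro is `SSL_OP_NO_RENEGOTIATION`), so the first term is always true and only the presence of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS decides whether this callback is built. On OpenSSL 1.1.x, where the SSL structure is opaque and that flag is not exposed, the callback cannot be used, so the option-based path is the only protection — and the same typo disables it there (see the SSL_CTX_set_options hunk). Correct the guard here and at the SSL_CTX_set_info_callback site to `#if !defined(SSL_OP_NO_RENEGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)`. The `ret` parameter is unused; `(void)ret;` would keep -Wunused-parameter quiet.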
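Review bot: `#ifdef SSL_OP_NO_RENGOTIATION` and `SSL_OP_NO_RENGOTIATION |` misspell the OpenSSL constant (`SSL_OP_NO_RENEGOTIATION`, present since 1.1.0h/1.1.1), so the `#ifdef` is never true, the option is never ORed into SSL_CTX_set_options, and renegotiation stays enabled on modern OpenSSL builds — the CVE-2009-3555 exposure this commit intends to close is not closed there. The fix is the two lines `#ifdef SSL_OP_NO_RENEGOTIATION` and `SSL_OP_NO_RENEGOTIATION |`. The `-`/`+` pair on SSL_OP_SINGLE_ECDH_USE is a whitespace-only change. The SSL_CTX_set_options call begins outside the hunk.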
@@ -2469,6 +2486,10 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername)
 		if (servername && SSL_CTX_set_tlsext_servername_callback(ssl_ctx, ssl_servername) != 1)
 			log_warn("sstp: SSL server name check error: %s\n", ERR_error_string(ERR_get_error(), NULL));
 #endif
+
+#if !defined(SSL_OP_NO_RENGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+		SSL_CTX_set_info_callback(ssl_ctx, ssl_info_cb);
+#endif
 	} else {
 		/* legacy option, to be removed */
 		opt = conf_get_opt("sstp", "ssl");
diff --git a/accel-pppd/extra/chap-secrets.c b/accel-pppd/extra/chap-secrets.c
index becb687..92cfb42 100644
--- a/accel-pppd/extra/chap-secrets.c
+++ b/accel-pppd/extra/chap-secrets.c
@@ -24,7 +24,7 @@ static char *def_chap_secrets = "/etc/ppp/chap-secrets";
 static char *conf_chap_secrets;
 static int conf_encrypted;
 static in_addr_t conf_gw_ip_address = 0;
-static int conf_netmask;
+static int conf_netmask = 0;
 
 static void *pd_key;
 static struct ipdb_t ipdb;
@@ -762,6 +762,7 @@ static void load_config(void)
 		parse_gw_ip_address(opt);
 	else {
 		conf_gw_ip_address = 0;
+		conf_netmask = 0;
 	}
 
 	opt = conf_get_opt("chap-secrets", "encrypted");
diff --git a/accel-pppd/extra/ippool.c b/accel-pppd/extra/ippool.c
index 0c0831c..73ad398 100644
--- a/accel-pppd/extra/ippool.c
+++ b/accel-pppd/extra/ippool.c
@@ -264,6 +264,7 @@ static void generate_pool_p2p(struct ippool_t *p)
 			break;
 		}
 
+		memset(it, 0, sizeof(*it));
 		it->pool = p;
 		it->it.owner = &ipdb;
 		if (conf_gw_ip_address)
@@ -304,6 +305,7 @@ static void generate_pool_net30(struct ippool_t *p)
 			break;
 		}
 
+		memset(it, 0, sizeof(*it));
 		it->pool = p;
 		it->it.owner = &ipdb;
 		it->it.addr = addr[1]->addr;
@@ -443,6 +445,7 @@ static int session_restore(struct ap_session *ses, struct backup_mod *m)
 		ses->ipv4 = &it0->it;
 	else {
 		ses->ipv4 = _malloc(sizeof(*ses->ipv4));
+		memset(ses->ipv4, 0, sizeof(*ses->ipv4));
 		ses->ipv4->addr = addr;
 		ses->ipv4->peer_addr = peer_addr;
 		ses->ipv4->owner = &ipdb_b;
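Review bot: The new `memset(ses->ipv4, 0, sizeof(*ses->ipv4));` in session_restore runs straight after `ses->ipv4 = _malloc(...)` with no NULL check, so an allocation failure now becomes a NULL dereference on the added line rather than an error return. Unless `_malloc` is a wrapper that aborts on failure (its definition is not visible here), guard it with `if (!ses->ipv4) return -1;` (or whatever error value session_restore's callers expect) before the memset, or use a zeroing allocator variant if the project has one. The rest of session_restore is outside the hunk.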
diff --git a/accel-pppd/extra/ipv6pool.c b/accel-pppd/extra/ipv6pool.c
index 6fa5cc5..4f29a28 100644
--- a/accel-pppd/extra/ipv6pool.c
+++ b/accel-pppd/extra/ipv6pool.c
@@ -83,6 +83,7 @@ static void generate_ippool(struct in6_addr *addr, int mask, int prefix_len)
 
 	while (in6_addr_cmp(&ip, &end) <= 0) {
 		it = malloc(sizeof(*it));
+		memset(it, 0, sizeof(*it));
 		it->it.owner = &ipdb;
 		INIT_LIST_HEAD(&it->it.addr_list);
 		a = malloc(sizeof(*a));
@@ -119,6 +120,7 @@ static void generate_dppool(struct in6_addr *addr, int mask, int prefix_len)
 
 	while (in6_addr_cmp(&ip, &end) <= 0) {
 		it = malloc(sizeof(*it));
+		memset(it, 0, sizeof(*it));
 		it->it.owner = &ipdb;
 		INIT_LIST_HEAD(&it->it.prefix_list);
 		a = malloc(sizeof(*a));
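Review bot: `it = malloc(sizeof(*it));` in generate_ippool is unchecked and the added `memset(it, 0, sizeof(*it));` dereferences it immediately, so an out-of-memory result now crashes inside the loop instead of leaving the struct uninitialised; generate_dppool has the identical pattern. `it = calloc(1, sizeof(*it));` gives the zeroed allocation in one call, and a check such as `if (!it) break;` (the loop's error convention is not visible here; the rest of the function is outside the hunk) avoids the NULL write. The following `a = malloc(sizeof(*a));` is equally unchecked but predates this change.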